07-01-2019 06:39 AM - edited 02-21-2020 09:15 AM
FTD and OSPF MD5 authentication
Hi all,
I am trying to get OSPF authentication working between router 4451 interface and FTD 550x-X with FTD image, managed by FMC.
Connectivity works and OSPF adjacency comes up when no authentication is used, so it is not one of the usual issues like MTU etc. When I switch to MD5, the adjacency is stuck at INIT.
Could someone advise where to look to resolve this issue?
Kind regards
zee
07-01-2019 07:23 PM
There was a similar question asked (and answered) a couple of months ago.
Have you tried the recommended solution?
https://community.cisco.com/t5/firepower/ftd-and-ospf-md5-authentication/td-p/3404101
07-02-2019 12:40 AM
07-02-2019 12:42 AM
Hi Marvin,
Thanks for the help. I found the solution under CSCvg78868: just disable the LLS TLV OSPF feature on the router side and it works.
Symptom:
ASA with 9.3.1 or a later release discards OSPF hello packets; this is usually seen after SW upgrades of the OSPF neighbor, i.e. any IOS-XE device running on Polaris
The 2-way state is never reached; instead the OSPF session remains in INIT/DROTHER and the error message below is logged on the firewall:
ASA5525/act#OSPF: OSPF: Rcv pkt from ABC123 src 10.10.10.5 dst 224.0.0.6 id 10.10.10.5 type 4 if_state 5 : ignored due to unknown neighbor
Conditions:
OSPF speaker #1: ASA with 9.3.1 or a later release
OSPF speaker #2: Cisco IOS-XE router/switch running on 16.5.1 or later
ASR1K <--- OSPF ---> ASA FW
Workaround:
Workaround #1: disable LLS at the interface level
ASR1K(config)#int GigabitEthernet0/0/0.333
ASR1K(config-subif)#ip ospf lls disable
Workaround #2: disable LLS capability in the OSPF process
ASR1K(config)#router ospf 600 vrf VRF600
ASR1K(config-router)#no capability lls
Kind regards
Zeeshan
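To check on a packet capture whether the router's Hellos really carry an LLS block behind the MD5 digest (the combination the bug text above describes), here is an added Python example; it is not code from this thread or from Cisco. It builds a constructed OSPFv2 Hello with cryptographic authentication (AuType 2, RFC 2328 Appendix D) followed by an LLS block (RFC 5613), then locates and verifies the digest and reports any trailing LLS bytes. The router ID, key and sequence number are constructed sample values.

```python
import hashlib
import struct

OSPF_HDR = struct.Struct("!BBHIIHH8s")   # version, type, length, router id, area, checksum, autype, auth
HELLO_BODY = struct.Struct("!IHBBIII")   # mask, hello int, options, priority, dead int, DR, BDR
OPT_L = 0x10                              # Hello Options L-bit: "an LLS block follows this packet"

def md5_digest(pkt, key):
    # RFC 2328 App. D: MD5 over the OSPF packet with the 16-byte (zero-padded) key appended
    return hashlib.md5(pkt + key.ljust(16, b"\0")).digest()

def build_hello(router_id, key, seq, key_id=1, lls=True):
    """Constructed OSPFv2 Hello with MD5 crypto auth (AuType 2) and an optional LLS block."""
    options = 0x02 | (OPT_L if lls else 0)          # E-bit, plus L-bit when LLS is advertised
    body = HELLO_BODY.pack(0xFFFFFF00, 10, options, 1, 40, 0, 0)
    auth = struct.pack("!HBBI", 0, key_id, 16, seq)  # zero, key id, digest length, crypto seq
    length = OSPF_HDR.size + len(body)               # length excludes digest and LLS block
    hdr = OSPF_HDR.pack(2, 1, length, router_id, 0, 0, 2, auth)  # checksum is 0 for AuType 2
    pkt = hdr + body
    pkt += md5_digest(pkt, key)                      # 16-byte digest follows the packet proper
    if lls:
        # RFC 5613 LLS block: checksum(2), length in 32-bit words(2), TLVs. One Extended
        # Options TLV (type 1, length 4) with no flags; checksum left 0 in this constructed sample.
        tlvs = struct.pack("!HHI", 1, 4, 0)
        pkt += struct.pack("!HH", 0, 1 + len(tlvs) // 4) + tlvs
    return pkt

def inspect_hello(pkt, key=None):
    """Report where the MD5 digest and any LLS block sit, and whether the digest verifies."""
    _, typ, length, rid, _, _, autype, auth = OSPF_HDR.unpack_from(pkt)
    res = {"router_id": rid, "autype": autype, "lls_bit": False, "lls_bytes": 0, "digest_ok": None}
    if typ == 1:                                      # Hello: read the Options byte for the L-bit
        res["lls_bit"] = bool(HELLO_BODY.unpack_from(pkt, OSPF_HDR.size)[2] & OPT_L)
    end = length
    if autype == 2:
        _, key_id, dlen, seq = struct.unpack("!HBBI", auth)
        res["key_id"], res["seq"] = key_id, seq
        end = length + dlen                           # digest sits right after the OSPF length
        if key is not None:
            res["digest_ok"] = pkt[length:end] == md5_digest(pkt[:length], key)
    # Anything after the digest is the LLS block the workarounds above remove from the router.
    res["lls_bytes"] = len(pkt) - end
    return res
```

Run it against a Hello carved out of a capture instead of the constructed one: `lls_bit`/`lls_bytes` tell you whether the neighbour still sends LLS after the workaround, and `digest_ok` confirms the key matches.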